Ubuntu Server Hacked — What I can do to figure out how and to prevent it?
My server is hacked. It happens every day. I restart it and it works for a while before it goes down again. I am wondering if anyone in the community has had a similar issue and how they resolved it.
There are a few things from what I can see. First, there are users added to the database. Second, it happens daily around 6:40 AM. Third, the CPU load goes to 100% while there are almost no processes running.
It is a Linode server with Ubuntu, running Apache, MySQL and PHP 7.1. There is a Laravel web application as the main application, along with WordPress and some other software.
htop shows this: [screenshot]
top, ps aux, etc. have similar output. CPU load is 100%, while all processes add up to 5 - 6%.
The Apache and all the other logs are showing some activity. I can see a link to some porn site here: [screenshot]
The MySQL log shows that it has shut down: [MySQL log screenshot]
And these are the graphs: [screenshot]
Another weird thing in the Apache access log is this entry: [screenshot]
Here are the two entries in text format:
103.23.35.167 - - [31/Jan/2019:06:28:01 +0000] "GET / HTTP/1.1" 302 1309 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Apple WebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
109.252.14.217 - - [31/Jan/2019:06:37:24 +0000] "xc1rx07x10;xb51Yxe0xf0x16+xe0x13Ix1axe1xffcx9c3Mxaex19^xe9x9ex16x1dx8dx19x9bxabx98xa8?xf8xc19N[,xb8xb2x95-x15x1fx8fx86xfaxf7xdePxb8xbfx88Yqx92lCxb5x8b$px03xa0xb7xe0x9emx10xc1x07x91rxx98xd3C$@xb4xeaxffxbbx89xd8l8Ix0elxd8x94xa5xa3yGJcxabx1excbxe0#xdfNx01 x120x1e3vx97[xbd.xb0xf3Qz-x81_xeex1bpnxe3yxa6x7fxacxd7THxb4xb5.Wx82axa3x97Ixb01xbax0exe1xdcxf6x17#x05x91xfcZxa4xe9x18t`xd6xa1x18xb0xbd'x02xb7=x98xee;x1f{xd3xc1xefxbbxf1x96=x85xcexfex12wxffbxdcxb8x05xeb3~xeeEx18Cfx8dFxf2Lm;x86rx1a7xfc~xfbxcex99xc2xffxf9x94xe6x9bxb6x/1vx85x88x8bxd1xc7~)Kr0x04x99}xafx17x7fp2x80<x8bb9TO2xf7x9d/xaaxe9x88xecxb4x14Fx1dxc5Hx18qxbaxa3Wg/x9en" 400 0 "-" "-"
31.24.207.139 - - [31/Jan/2019:06:46:12 +0000] "GET / HTTP/1.1" 500 15532 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
and
51.75.66.250 - - [02/Feb/2019:08:55:36 +0000] "GET /mysite/ HTTP/1.0" 301 545 "http://porn.auntie.hotblognetwork.com" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"
51.75.66.250 - - [02/Feb/2019:08:55:39 +0000] "GET /mysite/ HTTP/1.0" 500 3828 "https://appsforce.org/mysite/" "Mozilla/
Any ideas or suggestions are welcome.
ubuntu security
edited Feb 3 at 1:13 by JakeGould
asked Feb 2 at 11:00 by Apps Force
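One way to triage access-log entries like the ones in the question, as an added example that is not code from the question or from Super User: it parses Apache combined-format lines and flags request lines that are not HTTP at all (the 400 entry from 109.252.14.217 is one), 5xx responses, referrers from hosts other than the site's own, and hits that fall near the 06:40 daily incident time the question reports. The sample lines are constructed from the entries in the question (binary request shortened, user agents trimmed), and the own-host list is an assumption taken from the referrer in the last entry.

```python
import re
from datetime import datetime, time
from urllib.parse import urlsplit

# Assumption: the site's own hostnames, taken from the referrer in the question's
# last log entry. Referrers from any other host are reported for review.
OWN_HOSTS = {"appsforce.org", "www.appsforce.org"}
INCIDENT_TIME = time(6, 40)   # the daily time the question reports the outage
WINDOW_MIN = 20               # how far from INCIDENT_TIME an entry still counts as "near"

# Apache "combined" log format; the request line is captured raw so that a
# non-HTTP payload (Apache escapes its bytes as \xHH) still parses.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
REQ_RE = re.compile(r'^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d$')

# Constructed sample modelled on the entries in the question (binary request line
# shortened, user agents trimmed). Not the server's real log.
SAMPLE_LOG = r'''
103.23.35.167 - - [31/Jan/2019:06:28:01 +0000] "GET / HTTP/1.1" 302 1309 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64)"
109.252.14.217 - - [31/Jan/2019:06:37:24 +0000] "\xc1r\x07\x10;\xb51Y\xe0\xf0\x16+\xe0\x13I\x1a" 400 0 "-" "-"
31.24.207.139 - - [31/Jan/2019:06:46:12 +0000] "GET / HTTP/1.1" 500 15532 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6)"
51.75.66.250 - - [02/Feb/2019:08:55:36 +0000] "GET /mysite/ HTTP/1.0" 301 545 "http://porn.auntie.hotblognetwork.com" "Mozilla/5.0 (Windows NT 6.3; Win64; x64)"
51.75.66.250 - - [02/Feb/2019:08:55:39 +0000] "GET /mysite/ HTTP/1.0" 500 3828 "https://appsforce.org/mysite/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64)"
'''


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def minutes_from_incident(ts):
    """Distance in minutes between the entry's time of day and INCIDENT_TIME."""
    entry_min = ts.hour * 60 + ts.minute
    incident_min = INCIDENT_TIME.hour * 60 + INCIDENT_TIME.minute
    return abs(entry_min - incident_min)


def classify(entry):
    """List the reasons an entry deserves a look; an empty list means nothing notable."""
    reasons = []
    if not REQ_RE.match(entry["req"]):
        reasons.append("non-HTTP request line")
    if entry["status"] >= 500:
        reasons.append("server error %d" % entry["status"])
    host = urlsplit(entry["ref"]).hostname if entry["ref"] != "-" else None
    if host and host not in OWN_HOSTS:
        reasons.append("external referrer: " + host)
    if minutes_from_incident(entry["ts"]) <= WINDOW_MIN:
        reasons.append("within %d min of daily incident time" % WINDOW_MIN)
    return reasons


def analyze(log_text):
    """Return one finding per notable line: ip, timestamp, request, reasons."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:   # a line the parser cannot read is itself worth a look
            findings.append({"ip": "?", "ts": None, "req": raw[:60], "reasons": ["unparsable line"]})
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "req": entry["req"][:60], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        when = f["ts"].strftime("%d/%b %H:%M:%S") if f["ts"] else "-"
        print("%-15s %s  %s" % (f["ip"], when, "; ".join(f["reasons"])))
```

On the real host, feed `analyze()` the contents of /var/log/apache2/access.log (and the rotated files, since the interesting day may already have rolled over). A 400 whose request line is not HTTP means something other than a browser spoke to port 80; on its own it is noise from a scanner, but its time stamp three minutes before the daily outage is why it is worth correlating with auth.log, the cron log and the MySQL error log over the same window. The off-site referrers are typical referrer spam and say nothing about how the box was entered. The daily recurrence itself is the strongest lead: a job that fires at the same minute every day usually lives in a crontab or a systemd timer, so the user and system crontabs are worth reading alongside this output.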
1
The only thing you can do is basically clean up your code and possibly nuke the server and redeploy the code on the new server. I would recommend installing the Sucuri Security plug-in and then reviewing the tips on this Sucuri site page.
– JakeGould
Feb 3 at 1:16
1
Actually, looking at this, you are right - those Python scripts are running as root. It's game over for that VM.
– davidgo
Feb 3 at 1:22
Apps Force, it is a heck of a lot easier to read text than to read a screenshot. For future use, screenshots 1, 2, and 4 could be replaced with text; can't do anything about #3 since it is a graph.
– K7AAY
Feb 4 at 19:37
1 Answer
The first thing I notice is that one of those requests seems to be shellcode from 109.252.14.217. That IP doesn't show up on any proxy/VPN lists, but it also doesn't mean that it's your "cracker's" real IP. Above someone said that your server is done for because of that Python script running as root, which is not necessarily true. It is very bad, but not a death sentence. The first thing I would do (if you can) is reboot. If the attacker hasn't gotten persistence yet then that could kill his shell if he has one. Check your bash history file for any suspicious-looking commands that you haven't entered, recent modification, or lack of anything in it. If the cracker is clumsy he'll leave traces there. Run "netstat -np" to see if there are any suspicious connections. If there is a reverse TCP or HTTP connection and it's tied to the PID of that running Python program then either block it with your firewall or kill the process. These are some of the first things I would do. But I'm no hacker so...
answered Feb 4 at 19:25 by n0den0de
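The answer's "netstat -np" step carried through, as an added example that is not the answerer's code: it pairs each established connection with the owning process from ps and reports connections the host itself dialled out, especially ones held by a script interpreter running as root, which is the root Python process the comments describe. It goes a little beyond the answer with two further checks on the question's own symptoms: PIDs visible in /proc but absent from ps (one explanation for 100% CPU while the process list adds up to a few percent), and the state of a shell history file. The netstat and ps listings are constructed samples in net-tools column layout using RFC 5737 documentation addresses, not output from the server in the question; `SCRIPT_PROGRAMS` and `EPHEMERAL_START` are assumptions of this example.

```python
import os
import re
import subprocess
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid program")
Proc = namedtuple("Proc", "pid user comm")

# Assumption: interpreters a dropped script typically runs under. A root-owned one
# holding an outbound connection is the case the answer describes.
SCRIPT_PROGRAMS = {"python", "python2", "python3", "perl", "sh", "bash", "nc", "ncat", "php"}
EPHEMERAL_START = 32768   # default lower bound of Linux ip_local_port_range

# Constructed samples in the layout of `netstat -tunp` and `ps -eo pid,user,comm`
# (assumption: net-tools column layout). Addresses are RFC 5737 documentation
# ranges, not the server from the question.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 198.51.100.10:443       203.0.113.7:51522       ESTABLISHED 1203/apache2
tcp        0      0 198.51.100.10:22        203.0.113.9:60012       ESTABLISHED 987/sshd: admin
tcp        0      0 198.51.100.10:43118     192.0.2.45:4444         ESTABLISHED 2211/python
tcp        0      0 198.51.100.10:43120     192.0.2.45:80           TIME_WAIT   -
tcp        0      0 127.0.0.1:3306          127.0.0.1:50510         ESTABLISHED 1101/mysqld
"""
PS_SAMPLE = """\
  PID USER     COMMAND
 1203 www-data apache2
  987 root     sshd
 2211 root     python
 1101 mysql    mysqld
"""

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pidprog>\d+/.*|-)\s*$"
)


def split_addr(addr):
    """'198.51.100.10:443' -> ('198.51.100.10', 443); a '*' port becomes 0."""
    ip, _, port = addr.rpartition(":")
    return ip, (int(port) if port.isdigit() else 0)


def parse_netstat(text):
    """Connection rows from `netstat -tunp` output; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lip, lport = split_addr(m.group("local"))
        rip, rport = split_addr(m.group("remote"))
        pidprog = m.group("pidprog").strip()
        pid, prog = None, None
        if pidprog != "-":   # "-" means no process owns the socket (or no permission to see it)
            pid_s, _, prog = pidprog.partition("/")
            pid = int(pid_s)
        conns.append(Conn(m.group("proto"), lip, lport, rip, rport, m.group("state") or "", pid, prog))
    return conns


def parse_ps(text):
    """pid -> Proc from `ps -eo pid,user,comm` output (first row is the header)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            procs[int(parts[0])] = Proc(int(parts[0]), parts[1], parts[2])
    return procs


def triage(netstat_text, ps_text):
    """(Conn, reasons) for established, non-loopback connections that look wrong."""
    procs = parse_ps(ps_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c.remote_ip in ("127.0.0.1", "::1"):
            continue   # e.g. PHP talking to MySQL
        if c.proto.startswith("tcp") and c.state != "ESTABLISHED":
            continue   # TIME_WAIT etc. carry no live process
        reasons = []
        if c.local_port >= EPHEMERAL_START:   # ephemeral local port: this host dialled out
            reasons.append("outbound to %s:%d" % (c.remote_ip, c.remote_port))
        p = procs.get(c.pid) if c.pid is not None else None
        if c.pid is not None and p is None:
            reasons.append("pid %d not in ps output" % c.pid)
        if p and p.comm in SCRIPT_PROGRAMS:
            reasons.append("held by interpreter %s" % p.comm)
            if p.user == "root":
                reasons.append("interpreter runs as root")
        if reasons:
            findings.append((c, reasons))
    return findings


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps: a process hidden from userland
    tools is one explanation for 100% CPU while ps adds up to a few percent."""
    return sorted(set(proc_pids) - set(ps_pids))


def live_hidden_pids():
    """Run the /proc-versus-ps comparison on this host (Linux, needs ps)."""
    in_proc = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    return hidden_pids(in_proc, {int(x) for x in out.split()})


def history_state(path):
    """'devnull' if the history file is a symlink to /dev/null (a common way to
    suppress logging), else 'missing', 'empty' or 'ok'."""
    if os.path.islink(path) and os.path.realpath(path) == "/dev/null":
        return "devnull"
    if not os.path.exists(path):
        return "missing"
    return "empty" if os.path.getsize(path) == 0 else "ok"


if __name__ == "__main__":
    for conn, reasons in triage(NETSTAT_SAMPLE, PS_SAMPLE):
        print("pid %s (%s) %s:%d -> %s:%d: %s" % (conn.pid, conn.program, conn.local_ip,
              conn.local_port, conn.remote_ip, conn.remote_port, "; ".join(reasons)))
    print("root history:", history_state("/root/.bash_history"))
```

On the live host, run `netstat -tunp` and `ps -eo pid,user,comm` as root (otherwise the PID column shows "-" for other users' sockets) and pass their output to `triage()`; `ss -tunp` reports the same facts in a different layout, so this parser is for netstat only. For `live_hidden_pids()`, take two snapshots a few seconds apart and trust only the PIDs that appear in both, because a process that exits between the `/proc` read and the `ps` call looks hidden too. A kernel-level rootkit hides from `/proc` as well as from ps, so an empty result does not clear the host, which is why the comment's advice to rebuild from a clean image still stands even after the process is killed and the connection is blocked.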